Optus…. Medibank… Canva… Latitude….what do all of these companies all have in common?
Over the last 3 or 4 years, each of the above companies have seen their customers’ private information become compromised after monumental data security breaches. Whilst some of these breaches have been more high-profile or have received more media attention than some of the others, what remains indisputable is the loss of trust from each of their respective consumer bases following their private information falling into the hands of unknown hackers with indiscernible (and potentially malicious) intentions.
How is this relevant for my church or small business?
These data breaches now spark some important questions:
What does this mean for churches and businesses?
What about smaller entities (and even basic religious charities)?
The members of your church congregation may want to ensure that their private and sensitive information is safe in the hands of these aforementioned companies, but they will also want to ensure that these details are also safe in the hands of their own church! This is particularly the case when being on a church database has implications for the categorisation of religious affiliation.
The Federal Government’s agreement in principle to the proposals of the Attorney General’s Privacy Act Review Report have reinforced a need for small businesses and religious institutions to consider the effectiveness of their current systems (or lack thereof) in collecting and protecting the personal and sensitive information they hold, use and/or disclose. In addition to future-proofing your church or business from everchanging privacy laws, designing your operational systems with privacy in mind provides greater confidence to congregants and customers that their private information is secure and reinforces your commitment to serving their best interests.
What is “Privacy by Design”?
The Office of the Australian Information Commissioner provides useful guidance on Privacy by Design. Privacy by Design is the process of “embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures.”[i] An example of Privacy by Design in action might be completing privacy impact assessments when seeking to collect private information to assist in designing a church or small business’ privacy collection processes.
The importance of Privacy by Design is highlighted by The Australian Privacy Foundation, who reiterates a concept which may be self-obvious based upon the widespread responses to the recent corporate data breaches: “Australians value privacy. They expect that their rights to privacy be recognised and protected.”[ii]
Considering that personal information includes anything that identifies a person – including sounds, images, data and fingerprints (to name but a few methods) – there are numerous ways in an ever-increasing technological age in which privacy expectations might be abused and in which people might feel violated by how their personal information is treated. This remains a truism, even if the privacy law reforms struggle to be, or are never, fully implemented.
Potential Upcoming Reforms: The Privacy Act Review Report and Proposed Reform of the Privacy Act 1988 (Cth)
In 2019, the Department of the Attorney General commenced a review into the Privacy Act 1988 (Cth) – the predominant piece of legislation governing privacy protection obligations of Australian businesses and not-for-profit entities – to ensure the Act’s provisions and protections remained fit for purpose.
The review culminated in the release of the Privacy Act Review Report 2022 (the “Privacy Report”), in which a number of recommendations were put forth to amend the Privacy Act – the aim being to increase the Act’s regulatory effectiveness and to bring the Act more closely into line with the expectations of the community.[iii]
Are small churches and small businesses exempt from the Privacy Act?
Normally, small businesses are exempt from the obligations imposed by the Privacy Act by virtue of the “Small Business Exemption”.[iv] This is because the Privacy Act does not currently apply to persons or entities who are “small business operators” (i.e. persons or entities that carry on exclusively one or more “small business[es]”). Where a business has an annual turnover of less than $3 million and does not fall within a specific exception under the Privacy Act, that business will likely be a “small business” and exempt from Privacy Act obligations (although, if you operate a business that is not a small business and also operate a small business then this exemption may not apply).
However, the Government has recently “agree[d] in-principle” with the Privacy Report’s recommendation to remove the Small Business Exemption.[v] This proposal, if actioned, would mean that small business operators would have duties under the Privacy Act governing how they use, protect and secure the personal and sensitive information with which they come into contact. Such changes would be particularly relevant to small religious organisations, as the information that these entities often hold about the “religious beliefs or affiliations” of persons is likely to be “sensitive information” to which the Act attaches significant privacy obligations.
The Government has outlined that prior to any legislative reform there will likely be a further period of consultation with small businesses to examine the impacts of any proposed removal of the exemption. Whilst there is no draft legislation yet proposed which scopes the extent of any changes to the Privacy Act, nor has there been an indication of when we are likely to see any such legislation, the Government’s initial responses mark the commencement of a valuable opportunity for small businesses to start considering whether their privacy policies and data protection mechanisms are up to standard.
A Cyber Expert’s Opinion
To assist small businesses in the consideration of their data privacy and information security procedures, we asked Brett Randall, founder of technology consultancy group Fractl with over 20 years’ experience in technology management, for his insights into some common questions small businesses and churches might have.
Q. What is a Privacy Impact Assessment, and how can it assist small organisations in upholding privacy obligations?
A. “Generally, before a new information-related project starts, such as the roll-out of a new Church Management System, a privacy impact assessment should be conducted. As the title suggests, this assesses what the impact of this system on the privacy of the individuals affected will be and determines if there are any gaps between what the law requires, and what the project or system delivers. When conducted properly, it offers a high level of assurance to organisations that they have met their privacy obligations and are effectively protecting their constituents and stakeholders. The Office of the Australian Information Commissioner outlines the ten recommended steps to undertake a PIA, which all organisations should go through ideally prior to, but even after, a new system is implemented.”[vi]
Q. What is the first thing you would suggest to an organisation that has already collected personal information?
A. “Start with this very easy exercise: write down what systems you might have people’s data in, what types of information you are storing, and, for each system, who has access to it. Now, think about if there is any data you don’t actually need to keep. Note this down, and work to minimise the data you are storing, as well as who has access to it. The less you have, the less that can be lost.”
Q. What does “best practice” privacy look like for churches and similar religious institutions?
A. “We must remember that privacy exists as a right and a law, so that people feel, and are, safe. For churches, nonprofits and other religious institutions, a commonality within their missions is to help people live their lives to the full – safely, effectively, and with opportunities to grow. In the era we’re in, a privacy breach isn’t just an inconvenience – it can literally lead to life-threatening situations, as well as significant life-altering events such as identity theft, bankruptcy, and fraud in the name of the impacted individuals. Best practice privacy looks like a leadership who takes privacy seriously, educates themselves on it, and interweaves good privacy practices throughout their organisations.”
Q. What should an organisation do if they find out that the security or privacy of sensitive or personal information in their possession has been compromised?
A. “Most churches don’t have the capacity to keep technology and legal people on-staff for these possible events. So, look for people you trust now who you can start talking to about security and privacy, so that you can start to make some positive adjustments as well as know who to turn to if there is ever a compromise. In most breaches, technology experts are required to ascertain the extent of the breach, and legal and risk experts determine how to report it, and to whom, to minimise harm both to the individuals affected as well as to your organisation.”
If your organisation is seeking to understand its privacy requirements, or if you are looking to review your current privacy policies and systems, let the experienced team at Corney & Lind Lawyers assist you. Give us a call today on (07) 3252 0011 or send us an enquiry by filling out our online form available here.
About the Authors:
Tim Whincop, Director, Corney & Lind Lawyers
Jackson Litzow, Lawyer, Corney & Lind Lawyers
Brett Randall, Founder, Fractl
[i] ‘Privacy By Design’ can be found here: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/privacy-by-design.
[ii] Australian Privacy Charter, December 1994.
[iii] The Privacy Act Review Report (2022) can be found here: https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report
[iv] See Privacy Act 1988 (Cth) s 6D.
[v] See in particular page 6 of the Government Response: Privacy Act Review Report (2023) available here: https://www.ag.gov.au/rights-and-protections/publications/government-response-privacy-act-review-report; and Proposal 6.1 of the Privacy Act Review Report (2022).
[vi] The ten steps can be found here: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-impact-assessments/guide-to-undertaking-privacy-impact-assessments